During installation, a certificate that is specific for CAPF gets generated. This CAPF certificate, which the Cisco CTL Client copies to all Cisco Unified Communications Manager servers in the cluster, uses the .0 extension.

Cisco Unified IP Phone and CAPF Interaction

When the phone interacts with CAPF, the phone authenticates itself to CAPF by using an authentication string, an existing MIC or LSC certificate, or "null"; generates its public and private key pair; and then forwards its public key to the CAPF server in a signed message. The private key remains in the phone and never gets exposed externally. CAPF signs the phone certificate and then sends the certificate back to the phone in a signed message.

The following information applies when a communication or power failure occurs.

•If a communication failure occurs while the certificate installation is taking place on the phone, the phone will attempt to obtain the certificate three more times in 30-second intervals. You cannot configure these values.

•If a power failure occurs while the phone is in a session with CAPF, and the phone cannot load the new configuration file from the TFTP server after it reboots, the phone uses the authentication mode that is stored in flash. After the certificate operation completes, the system clears the value in flash.

Tip Be aware that the phone user can abort the certificate operation or view the operation status on the phone.

Tip Key generation runs at low priority, which allows the phone to function while the action occurs. Key generation may take 30 minutes or more to complete.

Although the phone functions during certificate generation, additional TLS traffic may cause minimal call-processing interruptions on the phone; for example, audio glitches may occur when the certificate is written to flash at the end of the installation.

Consider the following information about how CAPF interacts with the Cisco Unified IP Phone 7960G and 7940G when the phone is reset by a user or by Cisco Unified Communications Manager.

Note In the following examples, if the LSC does not already exist in the phone and if By Existing Certificate is chosen for the CAPF Authentication Mode, the CAPF certificate operation fails.

Example—Nonsecure Device Security Mode

In this example, the phone resets after you configure the Device Security Mode to Nonsecure and the CAPF Authentication Mode to By Null String or By Existing Certificate (Precedence...). After the phone resets, it immediately registers with the primary Cisco Unified Communications Manager and receives the configuration file. The phone then automatically initiates a session with CAPF to download the LSC. After the phone installs the LSC, configure the Device Security Mode to Authenticated or Encrypted.

Example—Authenticated/Encrypted Device Security Mode

In this example, the phone resets after you configure the Device Security Mode to Authenticated or Encrypted and the CAPF Authentication Mode to By Null String or By Existing Certificate (Precedence...). The phone does not register with the primary Cisco Unified Communications Manager until the CAPF session ends and the phone installs the LSC. After the session ends, the phone registers and immediately runs in authenticated or encrypted mode.

You cannot configure By Authentication String in this example because the phone does not automatically contact the CAPF server; the registration fails if the phone does not have a valid LSC.

CAPF Interaction with IPv6 Addressing

CAPF can issue and upgrade certificates to a phone that uses an IPv4 address, an IPv6 address, or both. To issue or upgrade certificates for SCCP phones that use an IPv6 address, you must set the Enable IPv6 enterprise parameter to True in Cisco Unified Communications Manager Administration.

When the phone connects to CAPF to get a certificate, CAPF uses the Enable IPv6 enterprise parameter to determine whether to issue or upgrade the certificate to the phone. If the enterprise parameter is set to False, CAPF rejects connections from phones that use IPv6 addresses, and the phone does not receive the certificate.

Table 10-1 describes how a phone that has an IPv4, IPv6, or both types of addresses connects to CAPF.

Table 10-1 How IPv6 or IPv4 Phone Connects to CAPF

IP Mode of Phone   IP Addresses on Phone     CAPF IP Address   How Phone Connects to CAPF
----------------   -----------------------   ---------------   --------------------------------------------------------
Dual-stack         IPv4 and IPv6 available   IPv4, IPv6        Phone uses an IPv6 address; if it cannot connect over IPv6, it attempts to connect over IPv4.
Dual-stack         IPv4                      IPv4, IPv6        Phone uses an IPv4 address to connect to CAPF.
Dual-stack         IPv6                      IPv4, IPv6        Phone uses an IPv6 address; if the attempt fails, it uses an IPv4 address.
Dual-stack         IPv4                      IPv4              Phone uses an IPv4 address to connect to CAPF.
Dual-stack         IPv4 and IPv6 available   IPv6              Phone uses an IPv6 address to connect to CAPF.
Dual-stack         IPv4 and IPv6 available   IPv4              Phone uses an IPv4 address to connect to CAPF.
Dual-stack         IPv4                      IPv6              Phone cannot connect to CAPF.
Dual-stack         IPv6                      IPv4              Phone cannot connect to CAPF.
Dual-stack         IPv6                      IPv6              Phone uses an IPv6 address to connect to CAPF.
IPv4               IPv4                      IPv4, IPv6        Phone uses an IPv4 address to connect to CAPF.
IPv6               IPv6                      IPv4, IPv6        Phone uses an IPv6 address to connect to CAPF.
IPv4               IPv4                      IPv4              Phone uses an IPv4 address to connect to CAPF.
IPv4               IPv4                      IPv6              Phone cannot connect to CAPF.
IPv6               IPv6                      IPv6              Phone uses an IPv6 address to connect to CAPF.
IPv6               IPv6                      IPv4              Phone cannot connect to CAPF.

CAPF System Interactions and Requirements

The following requirements exist for CAPF:

•Before you use CAPF, ensure that you performed all necessary tasks to install and configure the Cisco CTL Client. To use CAPF, you must activate the Cisco Certificate Authority Proxy Function service on the first node.

•During a certificate upgrade or install operation, if By Authentication String is the CAPF authentication method for the phone, you must enter the same authentication string on the phone after the operation, or the operation fails. If the TFTP Encrypted Configuration enterprise parameter is enabled and you do not enter the authentication string, the phone may fail and may not recover until the matching authentication string is entered on the phone.

•Cisco strongly recommends that you use CAPF during a scheduled maintenance window because generating many certificates at the same time may cause call-processing interruptions.

•All servers in the Cisco Unified Communications Manager cluster must use the same administrator username and password, so CAPF can authenticate to all servers in the cluster.

•Ensure that the first node is functional and running during the entire certificate operation.

•Ensure that the phone is functional during the entire certificate operation.

•If a secure phone is moved to another cluster, Cisco Unified Communications Manager does not trust the LSC that the phone presents, because the LSC was issued by the old cluster's CAPF, whose certificate is not in the new cluster's CTL file. Before you move the phones, use the Delete option in the CAPF section of the Phone Configuration window to delete the existing LSC. To enable the phone to register in the new cluster, delete the existing CTL file as described in the "Deleting the CTL File on the Cisco Unified IP Phone" section; then use the Install/Upgrade option to install a new LSC from the new CAPF and reset the phone so that it obtains the new CTL file (or use the MIC).

Tip If you used the CAPF utility with Cisco Unified Communications Manager 4.0 and verified that the CAPF data exists in the Cisco Unified Communications Manager database, you can delete the CAPF utility that you used with Cisco Unified Communications Manager 4.0.

•Phone documentation that supports your phone model and this version of Cisco Unified Communications Manager
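The following is an added example, not Cisco code and not the CAPF protocol itself. It uses OpenSSL to stand in for the exchange described in "Cisco Unified IP Phone and CAPF Interaction" and for the cross-cluster case in the requirements above: the "phone" generates its key pair locally and hands CAPF only a certificate request (its public key), "CAPF" signs the LSC, and a second CAPF plays the role of another cluster whose CA certificate is not in the phone's CTL file. The device name SEP001122334455, the CA names CAPF-cluster-A and CAPF-cluster-B, and the validity periods are made up for the demo; the phone's authentication step (authentication string, MIC, or null) is not modeled.

```shell
# Added example (not Cisco code): LSC issuance and cross-cluster rejection
# modeled with OpenSSL. Names, paths and lifetimes below are assumptions.
capf_enrollment_demo() {
    work=$(mktemp -d) || return 1

    # Minimal openssl.cnf so "openssl req" runs without a system config.
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$work/req.cnf"

    # Two CAPF instances, each with its own self-signed CA certificate
    # (the per-cluster CAPF certificate that the CTL Client distributes).
    for cluster in A B; do
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
            -config "$work/req.cnf" -subj "/CN=CAPF-cluster-$cluster" \
            -addext "basicConstraints=critical,CA:TRUE" \
            -addext "keyUsage=critical,keyCertSign,cRLSign" \
            -keyout "$work/capf-$cluster.key" -out "$work/capf-$cluster.pem" \
            >/dev/null 2>&1 || return 1
    done

    # Phone side: the key pair is generated on the device; only the CSR
    # (public key plus identity) is sent to CAPF. phone.key never leaves.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$work/phone.key" >/dev/null 2>&1 || return 1
    openssl req -new -sha256 -config "$work/req.cnf" -key "$work/phone.key" \
        -subj "/CN=SEP001122334455" -out "$work/phone.csr" \
        >/dev/null 2>&1 || return 1

    # CAPF of cluster A issues the LSC from the CSR.
    openssl x509 -req -sha256 -days 1825 -in "$work/phone.csr" \
        -CA "$work/capf-A.pem" -CAkey "$work/capf-A.key" -CAcreateserial \
        -out "$work/lsc.pem" >/dev/null 2>&1 || return 1

    # Check 1: the LSC carries exactly the public key the phone generated.
    openssl pkey -in "$work/phone.key" -pubout -out "$work/phone.pub" \
        2>/dev/null || return 1
    openssl x509 -in "$work/lsc.pem" -pubkey -noout > "$work/lsc.pub" || return 1
    cmp -s "$work/phone.pub" "$work/lsc.pub" || return 1

    # Check 2: the LSC chains to the issuing CAPF ...
    openssl verify -CAfile "$work/capf-A.pem" "$work/lsc.pem" \
        >/dev/null 2>&1 || return 1
    # ... but not to the other cluster's CAPF, which is why a moved phone is
    # rejected until it gets a new LSC from that cluster (or uses its MIC).
    if openssl verify -CAfile "$work/capf-B.pem" "$work/lsc.pem" >/dev/null 2>&1; then
        return 1
    fi

    rm -rf "$work"
    return 0
}

capf_enrollment_demo && echo "LSC from cluster A verifies against CAPF A only"
```

The two checks are the ones worth keeping in mind when reading the requirements list: the public key in the issued LSC must be the one the phone generated (the private key is never transmitted), and trust is decided entirely by whether the issuing CAPF's certificate is in the CTL the phone holds, so a certificate that is perfectly valid in one cluster is simply untrusted in another.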

Activating the Certificate Authority Proxy Function Service

If you did not activate this service before you installed and configured the Cisco CTL Client, you must update the CTL file, as described in "Updating the CTL File" section. Activate this service only on the first node.

Updating CAPF Service Parameters

The CAPF Service Parameter window provides information on the number of years that the certificate is valid, the maximum number of times that the system retries to generate the key, the key size, and so on.

•Install/Upgrade—Installs a new or upgrades an existing locally significant certificate in the phone.

•Delete—Deletes the locally significant certificate that exists in the phone.

•Troubleshoot—Retrieves the locally significant certificate (LSC) or the manufacturing installed certificate (MIC), so you can view the certificate credentials in the CAPF trace file. If both certificate types exist in the phone, Cisco Unified Communications Manager creates two trace files, one for each certificate type.

Tip By choosing the Troubleshoot option, you can verify that an LSC or MIC exists in the phone. The Delete and Troubleshoot options do not display if a certificate does not exist in the phone.

Authentication String

If you chose the By Authentication String option, this field applies. Manually enter a string or generate a string by clicking the Generate String button. Ensure that the string contains 4 to 10 digits.

If you want CAPF to generate an authentication string automatically, click the Generate String button. The 4- to 10-digit authentication string displays in the Authentication String field.

Operation Completes by

This field, which supports all certificate operation options, specifies the date and time by which you must complete the operation.

The values that display apply for the first node.

Operation Status

This field displays the progress of the certificate operation; for example, <operation type> pending, failed, or successful, where operation type is the Install/Upgrade, Delete, or Troubleshoot certificate operation option. You cannot change the information that displays in this field.

Finding Phones on Basis of LSC Status or Authentication String

To find phones on the basis of certificate operation status or the authentication string, perform the following procedure:

The Find and List window displays. Records from an active (prior) query may also display in the window.

Step 2 From the first drop-down list box, choose one of the following options:

•LSC Status—Choosing this option returns a list of phones that use CAPF to install, upgrade, delete, or troubleshoot locally significant certificates.

•Authentication String—Choosing this option returns a list of phones with an authentication string that is specified in the Authentication String field.

Step 3 From the second drop-down list box, choose a search pattern.

Step 4 Specify the appropriate search text, if applicable.

Note To add additional search criteria, click the + button. When you add criteria, the system searches for a record that matches all criteria that you specify. To remove criteria, click the - button to remove the last added criterion or click the Clear Filter button to remove all added search criteria.

Step 5 Click Find.

All matching records display. You can change the number of items that display on each page by choosing a different value from the Rows per Page drop-down list box.

Step 6 From the list of records that display, click the link for the record that you want to view.

Note To reverse the sort order, click the up or down arrow, if available, in the list header.

Generating a CAPF Report

You can generate a CAPF report to view the status of the certificate operation, the authentication string, security profile, authentication mode, and so on. The report includes information such as device name, device description, security profile, authentication string, authentication mode, and LSC status.

The Find/List window displays. Records from an active (prior) query may also display in the window.

Step 2 To find all records in the database, ensure the dialog box is empty; go to Step 3.

To filter or search records

•From the first drop-down list box, choose a search parameter.

•From the second drop-down list box, choose a search pattern.

•Specify the appropriate search text, if applicable.

Note To add additional search criteria, click the + button. When you add criteria, the system searches for a record that matches all criteria that you specify. To remove criteria, click the - button to remove the last added criterion or click the Clear Filter button to remove all added search criteria.

Step 3 Click Find.

All matching records display. You can change the number of items that display on each page by choosing a different value from the Rows per Page drop-down list box.

Step 5 When prompted for the authentication string, enter the string that the system provides and press the Submit softkey.

The phone installs, updates, deletes, or fetches the certificate, depending on the current CAPF configuration.

You can monitor the progress of the certificate operation by viewing the messages that display on the phone. After you press Submit, the message "Pending" displays under the LSC option. The phone generates the public and private key pair and displays the information on the phone. When the phone successfully completes the process, the phone displays a successful message. If the phone displays a failure message, you entered the wrong authentication string or did not enable the phone for upgrade.